Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0009 ✕ technique: T1567 ✕

Show ATT&CK heatmap
  • Massive upload to SaaS service Informational Identity Threat Module 1 variation

    A user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    3 Hours
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Exfiltration Over Web Service (T1567) Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) Data Staged: Remote Data Staging (T1074.002)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may upload files to a SaaS service to stage and exfiltrate data from the organization.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were uploaded to determine if they contain sensitive data. Verify if the user account that uploaded the files is authorized to access them. Analyze the file types that were uploaded. Monitor the account for any further suspicious actions.

    Variations

    Massive upload to SaaS service by suspicious user

    Low overridden

    A suspicious user uploaded a large amount of data to an organizational cloud storage. This behavior may indicate that the data is being exfiltrated or staged. overridden